Policy approval best practices

eramba does not have user-defined workflows that reflect the organisation's “step by step” process for getting something approved. This existed, was removed in 1.x for various reasons, and will exist again towards the end of the year.

How do people handle this today, and how have they handled it in recent years?

1- You upload policies, your “approval process” is offline (you use emails, etc.) and once the approval is clear you update the review in eramba (with the updated version number and URL/attachment/content) and attach the emails you used as an attachment to the review.

Notifications in eramba can be used to remind people that reviews are due soon and that they should get prepared. You can also set up reports that come to you every week listing the reviews due in the next couple of weeks or the reviews that have already expired. There are many possibilities there.

2- You want users to upload the policies they have drafted as newer versions directly to eramba. eramba will send emails with the warnings; the user clicks on the email, logs into eramba and is redirected to the exact review record that is pending. They click on comments and attachments and write there the URL of the new version, or upload the newly drafted policy document as an attachment. If you use the right permissions, the user cannot edit, remove or do anything else with the review, so they can only provide feedback.

You can configure emails that trigger on comments and attachments (as they are provided, or as a digest), so when they provide any feedback on the review both you and they will see it as an email notification. You can log in and provide your opinion, and so go back and forth until the policy terms are clear and approved.

Once things are clear, the GRC team (generalising here…) can edit the review and complete it with the updated version, content/URL/attachment and set a next review date. In essence, the interactions of the workflow end up being documented on the review as comments and attachments.

3- You use the feedback option of a notification, which allows you to define a portal message and lets users upload comments and attachments… but it is only ONE WAY, meaning that once they have provided something the “feedback” is considered done and no further uploads are allowed (please see the notification documentation on feedback).

4- Your workflow approvals exist in some other tool (SharePoint, etc.) and you don't want eramba for that; you just want eramba to link policies to risks, compliance, etc. (the policies will hold the URL reference to the actual place where they live). So you upload policies to eramba and remove (delete) the “future” review records so you never get the “review expired” warning on the system.

We have been running this project for many years; the most common option is #1 and then #2. Option #3 is very new (feedback has only existed for a few months).

eramba is 3000 EUR or so a year; an hour of consulting is 80 EUR. Not spending 4 hours of consulting to make sure you understood the documentation well and to get an opinion from the team that has been implementing eramba for a long time all around the world is, in my opinion, a mistake. We don't force people to spend on onsite trainings or consulting hours (as any other GRC company would do) because the vast majority of customers don't need it, but if you think you need it… I would not even doubt it.

There you go - our advice!